Ports Required for Various Services/Applications

Tom Eastep

Cristian Rodriguez R.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

2018/06/21

Abstract

In addition to those applications described in the
/etc/shorewall/rules documentation, here are some other
services/applications that you may need to configure your firewall to
accommodate.

Caution

This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than 3.0.0, please see the documentation for that release.

Important Notes

Note

The Shorewall distribution contains a library of macros that make it easy to allow or block a particular application. Run ls /usr/share/shorewall/macro.* to see the list of macros in your distribution. If you find the one you need, simply use the macro in a rule, supplying the action in parentheses. For example, to allow DNS queries from the dmz zone to the net zone:

#ACTION SOURCE DEST
DNS(ACCEPT) dmz net

Note

In the rules shown in this document, the ACTION is shown as ACCEPT. You may need to use DNAT instead (see FAQ 30), or you may want DROP or REJECT if you are trying to block the application.

Example: You want to port forward FTP from the net to your server at 192.168.1.4 in your DMZ. The FTP section below gives you:
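The FTP section itself is not reproduced on this page. The following is an added example, not taken from the original document, that shows the ACCEPT-to-DNAT substitution the note describes. It uses the FTP macro from the macro library, the 192.168.1.4 address from the example above, and the net and dmz zone names used elsewhere on this page:

```conf
#ACTION      SOURCE   DEST
# Plain ACCEPT form, as the per-application sections show it:
# permit FTP control connections from the net zone to the DMZ server.
FTP(ACCEPT)  net      dmz:192.168.1.4
# Port-forwarding form: the same macro with DNAT as the action. The
# address in the DEST column is where the connection is sent; the
# packet's original destination is the firewall's external address.
# Use one form or the other for a given server, not both.
FTP(DNAT)    net      dmz:192.168.1.4
```

DNAT rewrites the destination and accepts the connection in a single rule. FTP additionally needs the kernel's FTP connection-tracking helper (and its NAT counterpart when DNAT is used) so that the data connections are tracked as RELATED, in the same way that TFTP needs its helper in the TFTP section below.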

DNS

Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> of resolution requests (from clients) and is also the <source> of recursive resolution requests (usually to other servers in the 'net' zone), so it needs rules in both directions. For example, if you have a public DNS server in your DMZ that supports recursive resolution for local clients, you would need:

Note

Recursive resolution means that if the server itself cannot resolve the name presented to it, it will attempt to resolve the name with the help of other servers.
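As an added example that is not part of the original document: rules for a DNS server in the dmz zone at an assumed address of 192.168.1.2 that answers queries from the net and loc zones and recurses to servers in the net zone. The DNS macro used here (/usr/share/shorewall/macro.DNS) expands to udp 53 and tcp 53 with the action given in parentheses, so no PROTO or port columns are needed:

```conf
#ACTION      SOURCE             DEST
# Queries TO the server (the server is the DEST):
# authoritative queries from the Internet for the public zones it serves...
DNS(ACCEPT)  net                dmz:192.168.1.2
# ...and queries from local clients, which may ask for recursion.
DNS(ACCEPT)  loc                dmz:192.168.1.2
# Recursive resolution BY the server (the server is the SOURCE): when it
# cannot answer from its own data it queries other servers on port 53.
DNS(ACCEPT)  dmz:192.168.1.2    net
```

Replies in all three cases are matched by connection tracking and need no rules of their own. The firewall cannot tell a recursive query from an authoritative one, so limiting recursion to local clients has to be done in the server's own configuration (for example an allow-recursion ACL in BIND); otherwise the net->dmz rule turns the server into an open resolver that can be abused for amplification attacks.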

Emule

Caution

This information is valid only for Shorewall 3.2 or later.

In contrast to how the rest of this article is organized, for emule I will give you the rules necessary to run emule on a single machine in your loc network (since that is what 99.99% of you want to do). Assume that:

Telnet

Caution

TFTP

You must have TFTP connection-tracking support in your kernel. If modularized, the modules are ip_conntrack_tftp (and ip_nat_tftp if any form of NAT is involved); on kernels 2.6.20 and later they are named nf_conntrack_tftp and nf_nat_tftp. These modules may be loaded using entries in /etc/shorewall/modules. The conntrack module must be loaded before the NAT module, since the NAT helper depends on it. Note that the /etc/shorewall/modules file released with recent Shorewall versions already contains entries for these modules.

Traceroute

UDP traceroute sends its probes to destination ports starting at 33434 and increments the port for each probe, so the ports used run from 33434 through 33434+(<max number of hops> x <probes per hop>)-1; with the usual defaults of 30 hops and three probes per hop that is 33434 through 33523. Note that for the firewall itself to answer with an ICMP Time Exceeded (type 11) reply, you need to allow ICMP type 11 outbound from the firewall. The standard Shorewall sample configurations set this up for you automatically, since they allow all ICMP packet types originating on the firewall itself.
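An added example, not from the original document, of the rules this implies for traceroutes run from the loc zone toward the Internet, using the loc, net and $FW names of the page's examples and the 30-hop, 3-probe defaults described above:

```conf
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
# Outbound UDP traceroute probes from the local network. The range
# covers the defaults of 30 hops x 3 probes per hop (33434..33523);
# widen it if either value is raised on the probing host.
ACCEPT   loc     net   udp    33434:33523
# The firewall is a hop on that path: let it send ICMP Time Exceeded
# (type 11) back to the probing host so it shows up in the trace.
ACCEPT   $FW     loc   icmp   11
# If traceroutes from the Internet should also see the firewall as a
# hop, allow the same reply toward the net zone.
ACCEPT   $FW     net   icmp   11
```

The Time Exceeded replies that later hops on the Internet send back to the probing host are ICMP errors related to the tracked UDP probe, so connection tracking admits them as RELATED and they need no rule of their own. If your policies already contain a $FW->loc or $FW->net ACCEPT policy (as the sample configurations do), the icmp rules are redundant but harmless.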

Vonage™

The standard Shorewall loc->net ACCEPT policy is all that is required for Vonage™ IP phone service to work, provided that you have loaded the TFTP helper modules (add the following entries to /etc/shorewall/modules if they are not there already):
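An added example, not from the original document, of the /etc/shorewall/modules entries that both the TFTP section and the Vonage™ section refer to, in the loadmodule form that file uses. The module names are the ones the TFTP section gives; on kernels 2.6.20 and later the modules are named nf_conntrack_tftp and nf_nat_tftp, and the entries change accordingly. The rule at the end is what the TFTP section needs for clients in the loc zone; Vonage™ needs only the helpers plus the loc->net ACCEPT policy:

```conf
# /etc/shorewall/modules
# Order matters: the NAT helper depends on the conntrack helper.
loadmodule ip_conntrack_tftp
loadmodule ip_nat_tftp
# On 2.6.20 and later kernels use the nf_ names instead:
# loadmodule nf_conntrack_tftp
# loadmodule nf_nat_tftp

# /etc/shorewall/rules
# With the helper loaded, one rule for the TFTP request port (udp 69)
# is enough: the server answers from a fresh port of its own to the
# client's port, and the helper marks that flow as RELATED.
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     net   udp    69
```

Without the helper, the server's reply from its new source port does not match the original request and is dropped, which is why a simple udp 69 rule on its own appears not to work.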